FAQ for Auditors: CAS 402 – Service Organizations
In today’s complex business environment, entities are increasingly outsourcing certain business activities to third-party organizations, which could impact the auditor’s assessment of the risks of material misstatement. In November 2023, the Canadian Public Accountability Board (CPAB) published a communication, Audit Considerations Relating to an Entity Using Services Organizations: Strengthening Audit Quality which highlighted challenges and observed findings related to audits of entities using service organizations. This CPA Canada publication is intended to assist auditors in the application of CAS 402, Audit Considerations Relating to an Entity Using a Service Organization, based on common FAQs and deficiencies identified.
The FAQs addressed in this publication will help auditors of financial statements in:
- Evaluating whether a third-party organization is considered a service organization as per CAS 402
- If a service organization is identified, obtaining an understanding of the nature and significance of the services provided by the service organization and their effect on the user entity's system of internal control, sufficient to:
- provide an appropriate basis for the identification and assessment of the risks of material misstatement in accordance with CAS 315, Identifying and Assessing the Risks of Material Misstatement; and
- design and perform audit procedures responsive to those risks in accordance with CAS 330, The Auditor’s Response to Assessed Risks.
- Discussing the implications of using services from third-party organizations with management, as described in the Appendix: Audit Client Briefing